[PATCH OLK-6.6] dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor

From: Olivier Dautricourt olivierdautricourt@gmail.com

stable inclusion from stable-v6.6.50 commit 20bf2920a869f9dbda0ef8c94c87d1901a64a716 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARVBS CVE: CVE-2024-46716

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 54e4ada1a4206f878e345ae01cf37347d803d1b1 ]

Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor.

This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor

which does not correctly free the descriptors as first nodes were not removed from the list.

Signed-off-by: Olivier Dautricourt olivierdautricourt@gmail.com Tested-by: Olivier Dautricourt olivierdautricourt@gmail.com Link: https://lore.kernel.org/r/20240608213216.25087-3-olivierdautricourt@gmail.co... Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org

Conflicts: drivers/dma/altera-msgdma.c [Context conflicts.] Signed-off-by: Jinjiang Tu tujinjiang@huawei.com --- drivers/dma/altera-msgdma.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c index 4153c2edb049..ff231c984b9f 100644 --- a/drivers/dma/altera-msgdma.c +++ b/drivers/dma/altera-msgdma.c @@ -233,7 +233,7 @@ static void msgdma_free_descriptor(struct msgdma_device *mdev, struct msgdma_sw_desc *child, *next;

mdev->desc_free_cnt++; - list_add_tail(&desc->node, &mdev->free_list); + list_move_tail(&desc->node, &mdev->free_list); list_for_each_entry_safe(child, next, &desc->tx_list, node) { mdev->desc_free_cnt++; list_move_tail(&child->node, &mdev->free_list); @@ -587,8 +587,6 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) list_for_each_entry_safe(desc, next, &mdev->done_list, node) { struct dmaengine_desc_callback cb;

- list_del(&desc->node); - dmaengine_desc_get_callback(&desc->async_tx, &cb); if (dmaengine_desc_callback_valid(&cb)) { spin_unlock(&mdev->lock);